2
Prevent or slow down BOT BruteForce attacks against SMTP and IMAP?
Question asked by Mark K. - 3/27/2023 at 3:41 PM
Answered
For the last few days the server is being hammered with botnet brute-force attacks from so many different IPs. I lowered the abuse detection threshold down to 1 and it doesn't seem to have done much, except now the blacklist has compiled thousands and thousands of IPs that will be permanently blocked. IMAP and SMTP are still being attacked, although I blocked IMAP for the time being.

The mail server is behind a firewall, and the firewall has rules blocking a lot, but it is pretty difficult to block incoming SMTP, so I am looking for ideas/direction on how to slow/prevent this.


19 Replies

0
Kyle Kerst Replied
Employee Post
Hey Mark! Most of these brute-force attacks come in from common CIDR blocks, so what I recommend you do is set a threshold of say 4 logins, a time frame of 600 minutes or so, and a long block time. What this does is get them added to the IDS list and keeps them there for a period of time so you can review the list. After a day or so you'll start seeing those common CIDR blocks which you can then add as a CIDR block to Settings>Security>Blacklist. Once you get the major offenders blocked you'll see far fewer IDS blocks.
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Douglas Foster Replied
I am also seeing a surge in brute-force attacks on SMTP AUTH.

All of the recent attacks appear to come from China, based on the country information that appears with IDS blocks. If you have the ability to block based on country of origin, and don't need to communicate with the Great Firewall, you should consider blocking incoming traffic from there.
0
Mark K. Replied
I have over 2,600 entries in the Blacklist. Exporting to JSON and converting to CSV was easy, and converting repeat-offender IPs into CIDRs was easy, but importing back into SmarterMail isn't easy because of the JSON, unless there is documentation on how to do it efficiently.

I blacklisted everything on the firewall, much easier to import with text option, still getting attacks, but slowing down a bit.

SmarterTools should consider adding a plugin like pfBlockerNG.


1
Douglas Foster Replied
Only 2,600? Mine has been running around 23,000. My incoming gateway is configured to IDS-list after one SMTP AUTH failure, since the machine has no valid user logins. The list had been stable for quite a while with about 4,000 active IDS entries. Recently, the list jumped to 23,000 and was still climbing. I tried pruning the list by converting the most saturated 24-bit CIDRs from IDS blocks into Blacklist rules, only to see the list start growing again.

Your post helped me to realize that China has undertaken a massive attack, using thousands of servers to scour the Internet for accounts that can be compromised. Last night, I implemented the advice in my previous post, and used my firewall to activate a country-based block on SMTP traffic from China. Non-SMTP traffic from China had been blocked previously.

With the firewall rule in place, I have the freedom to purge my list. Of course, if the firewall rule misses an attack source, the SmarterMail rule will put it back on the IDS list. But a shorter list will reduce system overhead and allow me to look for other attack sources.

To do this, I sorted on the Country column of the IDS list, and started unblocking 200 entries at a time. The process is tedious, but I went to bed with the list below 14,000 entries.

Doug Foster
1
Roger Replied
I would install a firewall such as pfSense or OPNsense in front of the mail server and also other productive systems that are accessible via the Internet.

With pfSense you can filter out known systems that are listed for such attacks with the plugin pfBlockerNG before it can even pass the firewall.

With Suricata you can also detect attacks on your protocols (as intrusion detection) and block them for a certain time.

You can also use pfBlockerNG to automatically block ASN ranges, certain CIDR blocks, etc. (native alias). You will get rid of about 90% or even more of the attacks with such a solution. What you can't get rid of are volumetric DDoS attacks, your provider has to do something about that on layer 3.

Greetings Roger
1
Kyle Kerst Replied
Employee Post
All great info here! The best solution involves a combination of approaches and I think the above information is a step in the right direction. We have some changes coming in the new version that should make a lot of this easier on you as well! One of the things noted in this thread is country blocking, which you'll be able to implement at a domain-level to restrict authentication with that domain to specific countries. We may look at doing a second pass on these areas again in the future as well so please let us know if you have any feedback along the way. 

@Doug: This lines up with the CIDR blocks I see primarily as well. Most IPs are coming out of China, Russia, Iran, etc. Once you get them blocked the traffic really slows down!
Kyle Kerst
1
Mark K. Replied
I am aware it's not a lot; I don't have too many domains on there. Attacks have slowed down a bit after blocking through CIDR on pfSense with Suricata and pfBlockerNG. I've gone to the point where most of Asia or Africa gets automatically dropped, IPv4 and IPv6.
1
Roger Replied
I have a few basic questions about the attack here:
- Do you have multiple connections from the same IP addresses making malicious accesses to your mail server or is each IP address unique?
- Are there certain countries from which the attacks are particularly common, such as China, Vietnam, Russia, Romania, Amsterdam, etc.?
- Are there any commonalities between the attackers, for example the ASN of the IP addresses, that indicate that certain networks of providers are particularly frequently abused for this purpose?
- Which lists in pfBlockerNG do you use?
- Did you also work with GeoIP under the IPv4 tab in pfBlockerNG and create a native alias with which you can block certain attacking countries?
- Did you make advanced rules for ports 25, 443, 465, 587, 993, 995 etc. in the pfSense firewall rules where you limit the source IP and the maximum number of reestablished connections?
0
Douglas Foster Replied
To your questions about the attack characteristics:
1) There is a background flow of SMTP AUTH attacks from all over the world. After dropping all IDS blocks for China, I still have about 3,500 active IDS blocks from an A-to-Z list of countries, including my own.

2) The current wave of attacks is from China, and it included at least 20,000 unique IP addresses.

3) They are persistent. (My IDS blocks last for months.) I analyzed a partial month of logs and found that some attack sources were attacking as much as 21 days after the initial attempt triggered an IDS block.

Doug Foster

0
Kyle Kerst Replied
Employee Post
That lines up with what I've been seeing too, Doug. I've seen an IP come in, try a couple of accounts, then buzz off for months before returning to try a few more attempts on those same accounts. They're getting smart!
Kyle Kerst
0
Mark K. Replied
I have a few basic questions about the attack here:

- Do you have multiple connections from the same IP addresses making malicious accesses to your mail server or is each IP address unique?

Not really at this point. I set the threshold on SmarterMail to 1 failed attempt and it blocks.
If there are SMTP AUTH failures I keep those as single-IP blocks for 9 years on SmarterMail; if there are IMAP failures, I extract the ASN details and, if it's a country and/or provider that I know I will never communicate with, I block every IP under their ASN on the firewall.

I am trying to automate the email notification I get when it's IMAP, extract the IP, check against the ASN, import all IPs under the ASN into a text file and then import into the firewall as a block rule.

- Are there certain countries from which the attacks are particularly common, such as China, Vietnam, Russia, Romania, Amsterdam, etc.?

Everywhere, including the US

- Are there any commonalities between the attackers, for example the ASN of the IP addresses, that indicate that certain networks of providers are particularly frequently abused for this purpose?

Not really, although a lot are in Asia, Africa and South America, and some come from large providers like Digital Ocean, which have networks across many countries; it's so easy to spin up a droplet and use it from there as an attack drone.

- Which lists in pfBlockerNG do you use?

PR1 thru PR4, SCANNERS and TOR

- Did you also work with GeoIP under the IPv4 tab in pfBlockerNG and create a native alias with which you can block certain attacking countries?

GeoIP only set to Top Spammers

- Did you make advanced rules for ports 25, 443, 465, 587, 993, 995 etc. in the pfSense firewall rules where you limit the source IP and the maximum number of reestablished connections?

Not at the moment, I will have to test it, do you have a recommendation on settings or example for me to look at?

One thing I am noticing is an uptick in attacks from IPv6 networks

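Mark describes two list-handling chores above: turning repeat-offender IPs from the exported blacklist into CIDRs (his earlier post) and building a plain-text block list that the firewall can import (this post). The script below is an added example, not code from the thread or from SmarterTools; it assumes the export has already been flattened to one address per line (the sample input is constructed from documentation ranges), groups offenders into /24 (IPv4) and /64 (IPv6) prefixes, promotes any prefix with at least `min_hits` offenders to a single CIDR rule, and refuses to aggregate a prefix that overlaps an allow list of your own or your customers' ranges, so a big customer site never gets blocked wholesale because a few of its hosts were caught.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: blocked addresses, one per line, as you might get from an
# IDS/blacklist export converted to plain text. Documentation ranges, not real attackers.
SAMPLE_BLOCKED = """\
198.51.100.7
198.51.100.19
198.51.100.200
198.51.100.88
203.0.113.5
203.0.113.6
203.0.113.7
192.0.2.44
not-an-ip
2001:db8:1:2::10
2001:db8:1:2::11
2001:db8:1:2::99
2001:db8:9::1
"""

# Prefixes that must never become a wholesale block (your own ranges, large customers).
# Assumed value for the example; 203.0.113.0/24 plays the role of a customer site.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def _touches_allowlist(net, allowlist):
    """True if net overlaps any allow-listed prefix of the same IP version."""
    return any(a.version == net.version and net.overlaps(a) for a in allowlist)


def aggregate(blocked_text, min_hits=3, v4_prefix=24, v6_prefix=64, allowlist=ALLOWLIST):
    """Group blocked IPs by /24 (IPv4) or /64 (IPv6). A prefix with at least
    min_hits offenders becomes one CIDR rule; everything else stays a single IP.
    Returns (cidr_rules, single_ips) as sorted lists of strings."""
    members = defaultdict(list)
    for line in blocked_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed lines left over from the export
        plen = v4_prefix if addr.version == 4 else v6_prefix
        members[ipaddress.ip_network(f"{addr}/{plen}", strict=False)].append(addr)

    cidrs, singles = [], []
    for net, addrs in members.items():
        if len(addrs) >= min_hits and not _touches_allowlist(net, allowlist):
            cidrs.append(net)
        else:
            singles.extend(addrs)  # below threshold or protected: keep per-IP blocks
    cidrs.sort(key=lambda n: (n.version, int(n.network_address)))
    singles.sort(key=lambda a: (a.version, int(a)))
    return [str(n) for n in cidrs], [str(a) for a in singles]


def render_blocklist(cidr_rules, single_ips):
    """One entry per line: the plain-text shape firewall alias/URL-table imports accept."""
    return "\n".join(cidr_rules + single_ips) + "\n"


if __name__ == "__main__":
    rules, ips = aggregate(SAMPLE_BLOCKED)
    print(render_blocklist(rules, ips))
```

Raise `min_hits` if you would rather see more single-IP blocks than /24 rules; the allow list is the safety net either way.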
1
Roger Replied
Marked As Answer
Hello

I would enable a synproxy in the firewall rule for all incoming TCP connections like port 25, 80, 443 etc. This way the firewall will do the 3-way handshake and reduce the impact of a SYN flood attack on your mail server. This only works for TCP and not UDP, because there is no classic connection setup like the handshake (SYN, SYN-ACK, ACK).

I assume you are working with NAT here and then forwarding to the internal IP address of your Windows server with SmarterMail. In the firewall rule under WAN for this NAT you then edit it as follows under Advanced Options:

1
Roger Replied
pfBlockerNG GeoIP TopSpammer targets known sender sources for mass sending of unsolicited mails and not attackers who want to enumerate account credentials with a brute force attack.

It is relatively difficult on a Layer 3 basis only to block these actors on the basis of IP addresses already at the firewall, since in many cases they attack with individual connections per IP address via distributed systems (a C2 botnet), for example.

Lists that collect such known bot IP addresses can help here.
On the other hand, such attacks are not always constant and often adapt to changing circumstances until they run out of steam because the effort is too high and you as a target too uninteresting.

There are some exciting lists here for pfBlockerNG. Go to the Feeds tab in pfBlockerNG and look at the different entries and the purpose of the lists. You can then use these for IPv4, IPv6 etc.

What you should also do is to check your blocked IP addresses here with this bulk checker and see if there are any similarities. Be it the country of origin, the ASN etc. For example, if you notice that a large part comes from the same country, then block this country for a certain time or reduce the number of connections to a minimum similar to the Tarpit principle:

https://www.infobyip.com/ipbulklookup.php

If you notice that some ASN are particularly common and exploited for these attacks, then create an entry in pfBlockerNG under IPv4 (or IPv6 if that applies) as follows:

Also: Please make sure that you have activated the floating rule for the IPv4 category in pfBlockerNG like here:
1
Roger Replied
Here is a small excerpt from my IPv4 collection:

Category: IPv4
List-Name: Priority 1
Action: Deny Both
Update Frequency: Every 2 hours


Name: Abuse_Feodo_C2 // Source: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Name: Abuse_SSLBL // Source: https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
Name: CINS_army // Source: https://cinsarmy.com/list/ci-badguys.txt
Name: DShield // Source: https://www.dshield.org/block.txt
Name: ET_Block // Source: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Name: ET_Comp // Source: https://rules.emergingthreats.net/blockrules/compromised-ips.txt
Name: ISC_Block // Source: https://isc.sans.edu/block.txt
Name: Pulsedive_IP // Source: https://pulsedive.com/premium?key=YOURKEY&types=ip (you need a key)
Name: Spamhaus_Drop // Source: https://www.spamhaus.org/drop/drop.txt
Name: Spamhaus_eDrop // Source: https://www.spamhaus.org/drop/edrop.txt
Name: Talos_BL // Source: https://talosintelligence.com/documents/ip-blacklist
Name: Snort_BlockIP // Source: https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/014/992/original/ip_filter.blf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAU7AK5ITMFGQS4MSV%2F20220519%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220519T193727Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=efcbd09084fdd7020ff8129e38ddc33c1c75febf207471ec69532a2c78df8406

=============================================================


Category: IPv4
List-Name: Priority 2
Action: Deny Both
Update Frequency: Every 2 hours


Name: Alienvault // Source: https://reputation.alienvault.com/reputation.snort.gz

=============================================================

Category: IPv4
List-Name: Priority 3
Action: Deny Inbound
Update Frequency: Every 4 hours


Name: BlockListDE_all // Source: https://lists.blocklist.de/lists/all.txt
Name: BotScout // Source: https://botscout.com/last_caught_cache.txt
Name: DangerRulez // Source: http://danger.rulez.sk/projects/bruteforceblocker/blist.php
Name: MaxMind_BD_Proxy // Source: https://www.maxmind.com/en/high-risk-ip-sample-list

=============================================================

Category: IPv4
List-Name: Priority 4
Action: Deny Inbound
Update Frequency: Every 12 hours



Name: BDS_Ban // Source: https://www.binarydefense.com/banlist.txt
Name: Botvrij_IP // Source: https://www.botvrij.eu/data/ioclist.ip-dst.raw
Name: CCT_IP // Source: https://cybercrime-tracker.net/fuckerz.php
Name: Darklist // Source: https://www.darklist.de/raw.php
Name: HoneyPot_Bad // Source: https://www.projecthoneypot.org/list_of_ips.php?t=b
Name: HoneyPot_Com // Source: https://www.projecthoneypot.org/list_of_ips.php?t=p
Name: HoneyPot_Dict // Source: https://www.projecthoneypot.org/list_of_ips.php?t=d
Name: HoneyPot_Harv // Source: https://www.projecthoneypot.org/list_of_ips.php?t=h
Name: HoneyPot_IPs // Source: https://www.projecthoneypot.org/list_of_ips.php
Name: HoneyPot_Mal // Source: https://www.projecthoneypot.org/list_of_ips.php?t=w
Name: HoneyPot_Rule // Source: https://www.projecthoneypot.org/list_of_ips.php?t=r
Name: HoneyPot_Search // Source: https://www.projecthoneypot.org/list_of_ips.php?t=se
Name: HoneyPot_Spam // Source: https://www.projecthoneypot.org/list_of_ips.php?t=s
Name: ISC_Miner // Source: https://isc.sans.edu/api/threatlist/miner
Name: Myip_BL // Source: https://www.myip.ms/files/blacklist/csf/latest_blacklist.txt
Name: Nerd_BadIP // Source: https://nerd.cesnet.cz/nerd/data/bad_ips.txt
Name: NVT_BL // Source: http://www.ipspamlist.com/public_feeds.csv
Name: Rescure_IPBL // Source: https://rescure.me/rescure_blacklist.txt
Name: StopForumSpam_7D // Source: https://www.stopforumspam.com/downloads/listed_ip_7.zip
Name: Malc0de // Source: https://malc0de.com/bl/IP_Blacklist.txt

=============================================================


Category: IPv4
List-Name: Scanners
Action: Deny Inbound
Update Frequency: Once a day


Name: ISC_Errata // Source: https://isc.sans.edu/api/threatlist/erratasec
Name: ISC_Onyphe // Source: https://isc.sans.edu/api/threatlist/onyphe
Name: ISC_Rapid7Sonar // Source: https://isc.sans.edu/api/threatlist/rapid7sonar
Name: ISC_Shadowserver // Source: https://isc.sans.edu/api/threatlist/shadowserver
Name: ISC_Shodan // Source: https://isc.sans.edu/api/threatlist/shodan/
Name: Maltrail_Scanners_All // Source: https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt

=============================================================


Category: IPv4
List-Name: BlockListDE
Action: Deny Both
Update Frequency: Every 2 hours


Name: BlockListDE_Apache // Source: https://lists.blocklist.de/lists/apache.txt
Name: BlockListDE_Bots // Source: https://lists.blocklist.de/lists/bots.txt
Name: BlockListDE_Brute // Source: https://lists.blocklist.de/lists/bruteforcelogin.txt
Name: BlockListDE_SSH // Source: https://lists.blocklist.de/lists/ssh.txt
Name: BlockListDE_Strong // Source: https://lists.blocklist.de/lists/strongips.txt
0
WOW!!!!

It would be helpful if SmarterMail integrated a tool like this that can configure multiple public lists of botnet IPs to be used as a malicious botnet/IP blocking tool.
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Mark K. Replied
Hey Roger,

I have quite a lot of what you posted already configured, but will make sure to update with the rest. 

Thank you very much!
Mark
1
Roger Replied
What you can do per TCP firewall rule is to set the number of different connections and the number of connections per IP.

Here you have to regulate something yourself and try it out, because if you have, for example, large customers who have, say, 200 employees at a work location and they all use the e-mail more or less simultaneously, then you have at least 200 connections from this source IP at the same time. If you now reduce that to say 100 then the others have no possibility to connect because the maximum number is already used from this source IP.



What I would recommend you do is have some preceding alias match rules where you specify the different source countries from which these attacks originate, such as China etc., taken from pfBlockerNG (GeoIP -> Native Alias) as the source, and then in the Advanced Settings set the number of connections as follows:

This way you throttle the potential source countries down to a minimum. You are free to set this for all destination ports on your server in general (i.e. destination port any) or per port such as 25, 80, 443 etc. individually, with perhaps different maximum values.

Besides the GeoIP Country-Native-Aliases you can also create your own IPv4-Native-Aliases with manual ASN-entries from suspicious providers (this is independent of the country because there are providers (which I don't want to name here) which are known for this). I have already written a few words about this in my previous post.

On top you can create a traffic shaper -> Limiters in the firewall match rules that throttles the bandwidth to say for example 100 Kbit/s to spoil the fun of the particularly annoying comrades :)


You can set up the traffic shaper so that it sets the specific bandwidth of, for example, 100 Kbit/s on the entire firewall rule (so if 200 connections take place at the same time, each has about 0.5 Kbit/s) or 100 Kbit/s per source IP.


So feel free to play with these different methods, adjust them from day to day (or even from hour to hour) back and forth until you annoy the attackers so much that they are no longer interested or look for other ways.

You can also get a bit nasty and increase the connection delay to e.g. 800ms and also provoke a packet loss :)

The stupidest thing that could happen to you would be volumetric attacks.
0
Mark K. Replied
A lot of great info here, greatly appreciated, you gave me some additional ideas.
I do run rate limiters with traffic shapers.
I am thinking of using HAProxy and, based on the source, I would redirect them.
So many options, again thanks!
0
Roger Replied
You are very welcome and we wish you continued success.

What you can also do is put a reverse proxy with NGINX in front and forward with proxy_pass. You have to use a proxy or stream proxy depending on the service.

The nice thing about it is that you disguise the fact that there is a Windows server behind it, because you can find that out from the TTL alone when you ping your server. On the other hand, you can then install iptables on the NGINX Linux server and create quite a few rules there, which restricts even further everything that the firewall does not take out.

Greetings, Roger